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Title o£ the Invention 

REMOTE RECORDING COMPUTER VOTING SYSTEM 
^ Field of the Invention : 

I 5 This invention relates to automated and/or electronic 

^ voting systems used for conducting public elections. A single- 

use design is disclosed in which certain components are 
mamufactured specifically for use in one election. A system is 
also disclosed that provides a voter interface allowing votes to 
10 be cast, recorded, and tabulated in a secure manner using 
logical functions to automate the process. Remote recording is 
also used to facilitate the rapid, centralized collection of 
votes. The above system performs the above-mentioned functions 
while maintaining voter anonymity. 

15 

Background of the Invention ; 

Many prior designs have attempted to utilize computer based 
equipment and programs to count votes during public elections. 
Prior art systems have generally attempted to conputerize the 

20 functions of mechanical voting machines and have attetr5)ted to 
integrate the complete process of voting, such as registration. 
However, in some cases, the desire to "automate" and/or 
"integrate" various functions and to provide "adaptive" systems 
has resulted in undue conplexity. Prior designs have also 

25 overemphasized reusability without the consideration of economic 
feasibility. 

A number of prior art systems have provided automated 
voting systems. Wise et al., U.S. Patent No. 5,218,528, 
disclose a system which "integrates the stages of registering 
30 and certifying voters and collecting their votes". They 
further disclose the incorporation of an "interactive graphic 
interface for vote entiry" . This type of system takes advantage 
of existing technology and provides some desiradDle attributes. 
However, such a design adds greatly to the system's complexity 
^ 35 and cost. In addition, the implementation described does not 
^ provide for operation in some states where a "full face ballot" 

% must be used. (The tearm "full face ballot" describes a ballot 
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in which all candidates for all electoral races must be 
presented to the voter at once. At the present time, some 
states require this type of ballot.) Additionally, the Wise et 
al. design requires the voter to exercise control over the 
5 system operation by performing more actions than necessary to J 
cast a vote. These include selecting a presentation language, 
paging through the election races on screen, and physically 
entering an access code. While these operational aspects may 
provide greater adaptivity, they are not desirable for quick and 

10 efficient voting. 

Boram, U.S. Patent 4,641,240, discloses an electronic 
voting machine and system. While Boram allows for computer 
control of voting, important system concerns are not addressed. 
The design essentially replicated the function of the mechanical 

15 voting machines it was intended to replace. However, it also 
replicated the problems and limitations of the mechanical voting 
machine. Boram describes a process whereby the ballot is 
comprised of push-button switches arranged in rows and columns 
and overlaid with a printed list of candidates and issues. 

20 However, this presents a potential for breech of security either 
through accident or through plaxmed tair^ering. The potential 
exists since the list could be intentionally moved or 
accidentally placed over switches which do not record the voters 
intended vote. 

25 Boram also uses the limited row cOid column layout typical 

of older mechanical voting machines. This type of layout 
constrains the ballot design to fit within the rows and columns 
defined by the physical attributes of the machine. This type of 
layout does not possess the capability of being connected to a 

30 centralized processor for control and vote tallying. Life cycle 
costs of this design would be substantial due to the 
obsolescence of available parts, the transportation and storage 
costs associated with the machines' size, and the replacement 
cost of components. In this regard, some conqponents are 

35 statistically prone to failure through handling damage and ^ 
excessive wear. Such con5)onents include memoary cartridges and j 
battery backups. > 
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Anno et al., U.S. Patent No. 5,189,288, disclose a method 
and system for automated voting. Anno et al. describe a 
computer voting system that utilizes a "Key Card" containing 
^ election data to convey vote control to a vote recorder. After 

j 5 use by the voter, the "Key Card" is returned by the voter and 
the vote data is then recorded from the "Key Card" . However, 
the information in the Anno et al. key card creates undue 
complexity in the voting process by requiring an added level of 
supervision . 

10 The designs disclosed in Wise et al., supra, and Webb, U.S. 

Patent No. 4,774,655, relate to the capacity of available 
technology to perform voting tabulation. However, the prior 
designs do not relate to an in-depth scientific cuialysis of the 
requirements of public officials, public law, and the provisions 

15 necessary for fair, accurate, and secure voting. Also, a means 
to subsequently verify the system's operation through use of an 
audit trail with individual voter records or a data difference 
resolution methodology is lacking. 

Obsolescence is also a significant factor that must be 

20 considered in the design of electronic voting systems. The 
manufacturing cycle of state of the art components may make 
replacement and repair parts unavailable before the end of the 
system's useful life. As conponents and technology become 
obsolete, as in prior art voting machines and system designs, it 

25 becomes increasingly important to select technology that is 
ine3q>ensive, available in quantity, and replaceable with newer 
con5>onents as they become available. 

An example of obsolescence is shown by Boram, U.S. Patent 
No. 4,641,241. Boram discloses the design and use of a voting 

30 machine memory cartridge used to remove and store election data. 
The type of memory described is random access memory (RAM) which 
requires constant power so that the data is not lost - i.e., 
volatile memory. A cartridge design is utilized to facilitate 
handling. 

^ 35 Technology advances and design advances have rapidly 

^ advanced since Boram has issued in 1987. Memory technology 

• advances include the development of "Flash Chip" technology. 
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This memory medium is fxinctionally equivalent to RAM memory 
data. However, the incorporation of flash memory overcomes a 
significant potential failure area. In terms of facilitating 
the ease of handling, flash chips are now packaged in standard 
5 business card size modules with an electrical interface. The \ 

•it 

introduction of flash chip technology demonstrates that it is 
increasingly important for voting systems to be able to adapt to 
newer technology. 

Prior art systems do not provide for a defined audit trail 

10 for the complete operational cycle during an election. The 
prior art also fails to provide for specifically defined 
security processes and events that would make security breeches 
detectable. Moreover, the prior art does not provide for the 
collection of individual voter records recounting the actual 

15 ballots cast. 



SPMMaRY OF THE INVENTION 

The present invention provides a remote electronic voting 
system which provides improvement over the prior art by 

20 simplifying the hardware and software. The present invention is 
flexible and adaptable (1) through the availability of a single - 
use design (2) by incorporating defined security protection 
through both detection and inherent design and (3) by 
integrating and networking hierarchical systems at the precinct, 

25 city/county and/or state levels. Centralized hierarchical 
control and remote vote recording with secure collection are 
also provided. A process of immediate election certification by 
comparison and verification of redundantly recorded data is also 
provided. Time tagged data and a specific voter record are 

30 utilized as disclosed herein. The development and collection of 
a full audit trail for post election certification is also 
defined. A methodology of supplying machinery for public 
elections by defining a single use "kit" concept for certain 
system elements is disclosed to thereby reduce costs and afford 

35 system security. ^ 
Also described herein is an electronic "security key card". ^ 
Unlike the prior art, the security key card is only used to - 
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convey the authority of the card holder to vote. It is (1) 
issued when the voter's registration is verified, (2) contains 
a unique code electronically written on a magnetic strip, (3) 
p can only be used one, and (4) is disposable after use* It 

5 contains no control data, no election data, nor does it record 
^ any vote data. In this case, the prior art is improved by 

specific simplification of the electronic security key card. 

This invention also includes an audit trail and an 
individual voter record which are specifically defined. Methods 

10 employed in this invention, as disclosed, reveal how this 
critical data is used to assure system integrity and accuracy. 
Specific data processing techniques are used to produce 
specifically defined data storage information which is stored 
with the actual data. These processing techniques produce a 

15 storage data header; a digital description of the data; multiple 
check sums of the stored data and its associated header; and 
data word parity (a digital description of whether the data word 
is even or odd) . This data storage information ensures that the 
stored data is true. However, should an error be detected, the 

20 error can be corrected through "detect and correct" processing 
incorporated within the system. 

The methodology of processing and storing the critical data 
of the present system incorporates rediindant memories as a 
defense against catastrophic failures, loss, and/or damage of 

25 the transportable memory devices. 

A complete system for conducting public elections is 
disclosed to meet the legal requirements of many jurisdictions 
and provide secure, centralized, automated vote tabulation. The 
present system consists of a precinct level system, a city or 

30 county level system, and a state level system. The basic system 
or "precinct system" is a single -use system and is composed of 
"1 through n" electronic ballots connected to and controlled by 
a central precinct processor. The precinct system is further 
connected, controlled, and monitored by other hierarchical 

• 35 systems which may be located at the city/county and/or state 

levels . 

* Security of the electronic ballot is controlled by a 
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disposable electronic security key card which is provided to 
each voter. With the security card, each voter may gain access 
to the electronic ballot and cast votes for each electoral race 
presented. Each security card contains a unique, system- t 
5 generated access number that can be used only once. This system , 
number is encoded as magnetic information on the secvirity key - 
card. With the present system, the voter may retain the 
security key card after voting or dispose of it at the polling 
place . 

10 Control of the electronic ballot (s) is provided by a 

central precinct processor. The central precinct processor 
communicates with the electronic ballot through electronic 
interface circuit (s) . Logical input channels and logical output 
channels (LIC/LOC) , contained with the electronic interface 

15 circuits, read the votes cast by the voter. The LIC/LOC 
circuits also control indicators on the electronic ballot to 
confirm the vote selected. After the voter has completed voting 
and removed the magnetic key card, the precinct processor 
records the votes cast in an individual electronic voter record 

20 eOid resets the electronic ballot. The electronic voter record 
is then used to accurately secure vote tallies and recounts. 
Like a marked paper ballot, the electronic record is a true 
record of the votes cast by an individual voter. 

The central precinct processor system provides for precinct 

25 operator interface and precinct control of the system. The 
operator can run tests, monitor various system functions, and 
utilize built in test functions to troubleshoot and repair 
system and component failures and to also detect security 
compromises . The central precinct processor also performs 

30 communication fianctions with higher level systems if the 
installation is so configured. Higher level communication 
functions may include (1) centralized start cuid stop commands, 
(2) system monitoring, (3) data collection, and (4) on-line 
certification processes. All communications are via encrypted 

35 data transmission. ♦ 
This invention incorporates (1) a single-use precinct 
system and associated electronic ballots, (2) a higher level * 
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city, coxinty, and/or state level data collection system, (3) a 
maintenance monitoring facility, (4) associated security 
provisions, (5) processing to control system functions, (6) a 
defined audit trail, (7) a defined electronic voter record, (8) 
5 system self diagnostics, (9) specific operator displays and 
displayed data, and (10) processes by which the system is 
designed manufactured, shipped, installed, and operated. Also 
included is (1) the method of kit component collection, (2) the 
delivery of the kit, and (3) the secure handling of sensitive 
10 conqponents through the "chain-of -custody" process. 

The present invention provides an automated voting system 
that utilizes electronic components with logical processes and 
specific security method to provide cost effective, secure 
collection of votes cast in public elections. The present 
15 invention also provides automated vote tabulation and is also 
adaptable to the specific needs and laws of the jurisdiction in 
which the system is being used. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a Voting System Block Diagram showing a 
Functional Allocation of each voting level. 
Figure 2 is a Precinct System Diagram. 

Figure 3 is a City/ County Block Diagram, showing a Remote 
Recording Electronic (RRE) Configuration. 

Figure 4 is a State Block Diagram Remote Recording 
electronic (RRE) Configuration. 

Figure 5 is a Secure Single -Use Voting System Method. 
Figure 6 is a Critical Data Processing and Method showing 
a critical data element and header. 

Figure 7 is a Test Valid Critical Data Store Method. 
Figure 8 is a Detect and Correct Process Method. 
Figure 9 is an Audit Trail Processing Functional Block 
Diagram . 

Figure 9a is an Audit log Post Election Processing 
Verification Report. 

Figure 10 is an Electronic Voter Record and Vote Tally 
Processing Functions and Method. 
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Figure 11 is a Security Processing Functional Block 
Diagram. 

Figure 12 is a Statistical Processing Functional Block 
Diagram. 

Figure 13 is an On-Line Maintenance and Monitoring Process 
Functional Block Diagram. 
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faystem Fre-tesu. 




Figure 


21 


is a 


Ready- to- Vote Display. 
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Figure 


22 


is a 


Precinct Status Display. 




Figure 


23 


is a 


Precinct Statistics Display. 




Figure 


24 


is a 


Help Status Display. 




Figure 
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is a 


City/County Status Display. 




Figure 
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is a 


City County Statistics Display. 
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Figure 


27 


is a 


Select Precinct Display. 




Figure 
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is a 


County Status Display. 




Figure 




is a 


District Based Statistics Display. 




r igure 




shows Common Logical Processing Functions. 




Figure 


31 


is 


a flow chart of Self -Validation Logical 




Processing. 










Figure 
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is a 


flow chart of Audit Trail Processing. 




Figure 


33 


is < 


a diagram of a Typical Electronic Ballot 




Layout . 










Figure 
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is a 


diagram of a Rhode Island Sanple Ballot, 
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Figure 


35 


is a 


diagram of a Split Ballot. 




Figure 


36 


is 


a diagram of a Split Ballot with Common 




Referendum Issues. 






Figure 


37 


is 


a diagram of a Split Precinct Ballot 




Configuration . 
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Figure 


38 


is 


a diagram of a Split Precinct System 




Configuration . 








Figure 
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is a 


Multi-Vote Race Ballot with Vote Counter. 
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Figure 40 is a Multi-Vote Race with Multi-Votes Per 
Candidate Allowed. 

Figure 41 is a Central Precinct Processor Functional Block 
Diagram. 

5 Figure 42 is a flow chart of a Stand-Alone Precinct Test 

Function. 

Figure 43 is a flow chart of a Build Valid Precinct. 

Figure 44 is a flow chart of a Start Audit Log. 

Figure 45 is a flow chart of Run Communications. 
10 Figure 46 is a flow chart of an Establish and Test 

Commiinication . 

Figure 47 is a flow chart of a Run Memory Test. 

Figure 48 is a flow chart of Test Key Card Writers. 

Figure 49 is a flow chart of a Test Electronic Ballot. 
15 Figure 50 is a flow chart of a Vote Precinct. 

Figure 51 is a flow chart of an Initialize and Verify 
System. 

Figure 52 is a Ready- to- Vote diagram. 

Figure 53 is a flow chart of a Run Vote. 
20 Figure 54 is a flow chart of a Record Vote. 

Figure 55 is a flow chart of a Validate Key Card. 

Figure 56 is a flow chart of Run Ballot n. 

Figure 57 is a flow chart of Compile Vote Records. 

Figure 58 is a flow chart of an End Vote. 
25 Figure 59 is a flow chart of a Certify Vote. 

Figure 60 is a flow chart of a Run Certification 
Processing. 

Figure 61 is a flow chart of an End Precinct. 

Figure 62 is a flow chart of Statistics Processing. 
30 Figure 63 is a flow chart of a City/Coxinty/State Control 

Processing Functions. 

Figure 64 is a flow chart of a Pre-Election Test Function. 

Figure 65 is a flow chart of a Verify Storage and Set 
Precinct I/O. 

35 Figure 66 is a flow chart of Set Up Precincts and I/O 

Channels. 

Figure 67 is a flow chart of Process Secure Communications. 
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Figure 68 is a flow chart of Open Commiinications . 

Figure 69 is a flow chart of Collect Pre-Test Data. 

Figure 70 is a flow chart of a Certify Pre-Test. 

Figure 71 is a flow chart of an Open Polls Conmiand. 

Figure 72 is a flow chart of City/ County and State Data 
Collection Processing. 

Figure 73 is a flow chart of Run Secure Communications. 

Figure 74 is a flow chart of Validate Precinct diagram. 

Figure 75 is a flow chart of Collect Vote Data diagram. 

Figure 76 is a flow chart of Certify Election diagram. 

Figure 77 is a flow chart of Display Election Returns. 

Figure 78 is a flow chart of Shutdown Election. 

Figure 79 is a flow chart of a City/County Off -Line Data 
Processing Functional Block. 

DETAILED DESCRIPTION OF THE INVKNTION 

Figure 1, Voting System Block Diagram and Functional 
Allocation^ is a block diagram that discloses the overall system 
architecture by identifying the system's major conponents and 
their major functions. The system functions include: vote 
collection, data processing and recording, display processing, 
system control, and other functions. Figure 1 shows an 
implementation of the complete system as installed. 
Hierarchical control and recording capabilities from central 
state locations and monitoring facilities provide centralized 
operational and maintenance support. The system is organized 
from the lowest level element, the precinct system, through the 
state level. 

The precinct level is a fully operational, stand alone, 
direct recording electronic (DRE) voting system. The DRE voting 
system contains a central processor electronically interfaced to 
"1 through n" electronic ballots, as shown in Figure 2, Precinct 
System Diagram. The Precinct System Diagram of Figure 2 shows 
a dedicated voting system of single use design; i.e., it is 
intended for use in only one election, after which it is 
disposed. If the precinct system (s) are connected to a 
city/county control collection system, the system together is 
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then defined as a Remote Recording Electronic (RRE) voting 
system as shown in Figure 1 . 

The functions performed by the city/county and state 
processors are dependent on the laws of the jurisdiction. The 
5 functions may vary from simple on-line vote collection and 
performance monitoring to full control of lower level precinct 
processing. Control functions such as start vote, stop vote, 
time synchronization and other f mictions are provided. These 
functions may be changed, added, or deleted to allow the system 

10 to be adapted to the specific voting laws of the community. 
Figure 3 shows the City/County system in a Remote Recording 
Electronic (RRE) Configuration. 

Figure 4 shows a State System block diagram in the RRE 
Configuration. Its range of functions are dependent upon the 

15 jurisdiction of use. For exanple, some systems do not require 
state level tabulation. Accordingly, a state level processor 
may not be required. However, those states which desire a state 
level processor can choose the same range of control options 
available to the city/ county processors. 

20 As shown in Figures 3 and 4, those communities using a 

centralized city/county and/or state processor can opt for 
electronic information release. Data release options may 
include on-line statistical data collected throughout the voting 
period to final election results. Data releases may include a 

25 variety of outlets including the news media, various party 
headquarters, and/or other interested parties. 

Security of the system is afforded by a number of features 
including: data encryption as shown in Figure 1; security key 
access to the electronic ballot as shown in Figure 2; software 

30 self -validation; system hcindling methodology as shown in Figixre 
5 and the Secure Single-Use Voting Method System. 

An important aspect of this invention is the design of the 
dedicated precinct system as a "kit" intended for a single-use. 
The "kit" design relates to a method of providing voting system 

35 equipment for a dedicated single-use purpose. The kit design 
allows all components of the precinct system, as shown in Figure 
2, to be common with the exception of the electronic ballots and 
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the computer program which are tailored for each precinct and 
election. 

This kit design allows all con5)onents for all precincts to 
be centrally pre -positioned prior to an election. To make up a 
5 "kit", individual components of the voting system are packaged 
together and prepared for shipping to the system point of use, 
i.e,, the precinct. Upon arrival at the point of use, the kit 
is assembled and the full precinct system is ready for the 
election. After use, the system is disposed of. 
10 The specific methodology is graphically depicted in Figure 

5. The inventor (s) have determined cost savings and enhanced 
security is afforded by the method and the design. 
Specifically, the following attributes are realized. 

15 Cost Savings 

As shown in Figure 5, Secure Singe-Use Voting System 
Method, the kit design allows centralized warehousing of 
con^onent parts. Packaging of the kit is performed at shipping 
time by collecting the system components. The kit is shipped 

20 directly to its point of use just prior to the election and 
assembled. This method yields savings in system assembly, 
labor, storage, and shipping costs. 

After the election, it is contemplated that the system 
components may be disposed of. It has been determined that 

25 equipment handling, storage, maintenance, and reprogramming may, 
depending upon economic circumstances, be greater than the cost 
of simply replacing the equipment with new equipment on a per 
election basis. 

30 Methodology Security 

System components are collected randomly and then packaged 
as kits. Since there is no way of knowing where any specific 
component will actually be used, tampering with a particular 
component could not affect a specific election result. 

35 The warehousing method, collection of the kit component 

parts, and shipping directly to the point of -use is a "chain-of- 
custody" procedure, as shown in Figure 5. This precludes the t 
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chance of the election equipment being available to unauthorized 
personnel or potential tamperers. Specific kit components that 
must be protected are the electronic memory media containing the 
operational software and the memory where the vote data will be 
5 recorded. These components are shipped separately to election 
officials. The memories are sealed at the time of manufacture 
and later opened. Only the election officials or the election 
judges at the precinct may open the memories at the precinct 
from the sealed package. Multiple identical copies are provided 
10 from which the judges make a random selection of the computer 
program memories. These memories are then installed in the 
computer. At turn on, security processing is performed by the 
computer program to validate itself and to assure that tampering 
has not occurred. 

15 The disposal of the equipment after its use prevents the 

opportimity for tampering between elections when the equipment 
would normally be in storage. Since it is contenplated that the 
ecjuipment may be disposed of, analysis of the system and 
computer program techniques by a tanqperer may be precluded. 

20 

Advanced Features of the Invention 

Operational and processing advances include: 

a. critical data processing and methods; 

b. a defined audit trail; 

25 c. a defined individual voter record; 

d. defined security processes and operator 
notification alerts; 

e. statistical data collection and real time 
display; 

30 f . continuous system diagnostic processing; and 

g. defined displays. 

Critical Data- Processing and Methodology 

The critical data collected, processed, and saved or stored 
35 during use of the system is the audit trail and the individual 
voter record data. When combined, it may be determined that the 
system was properly functioning at the time a vote was cast and 
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that the vote data is, in truth, what the voter actually 
selected. The accuracy of this data must be guaranteed and 
provable to be correct. This is fundamental to the integrity of 
the system. 

5 Prior art systems have attempted to achieve guaranteed, 

provable data through redundant memory system data storage. 
However, redundant data storage alone, without a definitive 
process to define how differing data is resolved, cannot be 
proven to be true or accurate. 

10 Multiple memory systems are provided, as shown in Figures 

2, 3 and 4, as a defense against catastrophic failure, 
accidental loss, and/or damage of the memory devices. Accuracy 
and integrity of the data is assured through the use of data 
processing techniques that produce specifically defined storage 

15 information for the vote and audit trail data. 

In reference to Figure 6, Critical Data Processing-Method, 
these processing techniques produce a Critical Data Element for 
either a voter record or for an audit trail record (audit log 
record) . The raw data contained within the critical data 

20 element will vary in form and content when used as the voter 
record or the audit trail record. Accordingly, the Data Type, 
as shown in Figure 6, will indicate the type of information 
present in the Critical Data Element. 

The Critical Data Process is used to add information to the 

25 raw (unprocessed) information for each record. The information 
added to each record includes: a Critical Data Header; a Data 
Checksum; and a Data Element Checksum. Included within the 
Critical Data Header is the above-mentioned Data Type which is 
a digital description of the data type stored. Also included in 

30 the Critical Data Header, as described below, is a Time Tag, 
Number of Words, and word parity information corresponding to 
each word of the stored data. A Header Checksum is also 
provided which indicates the number of bits in the Critical Data 
Header . 

35 Figure 6 also shows the processing performed to produce the 

critical data header and multiple check sums. When the critical 
data process is performed to produce a record from the raw data, 

14 
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it first tests and sets a parity bit for each 8 bit byte of the 
raw data element. The raw data is then referred to as Record 
Unique Data. The process then continues and builds the Critical 
Data Header. The Critical Data Header consists of the Data Type 
identifier; a Time Tag which is the ciirrent real time of the 
system (a unique number for each Critical Data Element) ; and a 
Header checksum. The Header Checksum is a numerical addition of 
the data in the header with any overflow being ignored. 

A second checksum, Data Checksum, is built on the Record 
Unique Data and utilizes the same process. The Data Checksum is 
a numerical addition of all bits in the Record Unique Data with 
any overflow being ignored. The Record Unique Data is simply 
the raw data which has been processed for parity information as 
described below in reference to Figure 7. 

The final step in the critical data process is to build a 
third checksum. Critical Data Element Checksiim, for the entire 
Critical Data Element. The Critical Data Element Checksum is a 
numbered addition of all bits contained within the Critical Data 
Element. The Critical Data Element checksum is a unique number 
which incorporates the information from the time tagged number 
of words. 

This combination of header data, parity, and multiple 
checksums guarantees that the stored data is accurate and true; 
cuid, if a data error were to occ\ir, this combination would allow 
detection of the incorrect data and repair of the incorrect 
data. 

Figure 7, Test Valid Critical Data Store Method, 
illustrates the use of verification data produced by these 
processing methods to read. and verify the critical data. Each 
process that reads, stores or otherwise utilizes the critical 
data within the Critical Data Element checks the verification 
data record prior to performing any other process . This ensures 
that the information is correct. 

As shown in Figure 7, the Test Valid Critical Data Store 
process verifies the integrity of the Critical Data Element by 
regenerating the checksums contained with the Critical Data 
Element and con5>aring the result to the checksums generated and 
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Stored by the Critical Data Process of Figure 6. If the 
checksums are ecjual, the data is valid and the process is 
conqplete. Additionally, the integrity of the information has 
been verified to be correct. However, if the checksums are not 
5 equal, a Detect and Correct process, as outlined below in 

reference to Figure 8, is performed to find and correct the < 
incorrect data* 

Figure 8, Detect and Correct Process Method, shows the 
processing method performed to correct stored data errors. 
10 First, each checksum is tested to identify which part of the 
critical data element is incorrect. In other words, each 
checksum including the Header Checksum, the Data Checksum and 
the Critical Data Element Checksum is recalculated and compared 
with the stored value in the Critical Data Element. An 
15 incorrect match will indicate which portion of the Critical Data 
Element is in error. 

Next, a test of each parity bit corresponding to each byte 
of data is recalculated and compared with the stored value to 
determine which byte of data is incorrect. The combination of 
20 the checksum and parity information then provides a unique 
determination of the data bit or bits that are incorrect. The 
process then "repairs" the data, in a process described below, 
by setting the incorrect bits to their correct value. 

The repair process is shown by the Test Valid Critical Data 
25 Store of Figure 7. First, the stored information is read. 
Next, the parity information for a corrupted byte is analyzed. 
The parity information for each byte of data will identify which 
byte has the incorrect data. Each possible combination of bits 
for the incorrect byte is then sequentially generated and added 
30 to the other bytes in the record. The checksum is then 
recalculated and compared with the stored value. This process 
is repeated until the value of the added bytes equals the 
checksum. The incorrect byte is then replaced with the 
"generated" byte to thereby repair the incorrect byte. This 
35 process may be used to repair either the Critical Data Header or * 
Record Unique Data. 

Finally, the process generates an audit log record of the ♦ 
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10 



fact that the record was repaired. This feature, incorporated 
together with the specified voter record content and the 
methodology used to tally election totals, yields an accurate 
and secure election system. These techniques are used 
throughout the system for any process that stores, reads, or 
uses critical data. 

This method assures the accuracy of the critical data 
elements produced by this invention, the audit trail, and the 
individual voter record. 



Audit Trail 

Security and credibility are key issues that must be 
accommodated by an automated voting system. To facilitate these 
issues this invention includes a specific audit trail that is 
15 continuously updated and records each system event in a time 
ordered secjuence. Audit trail data is critical data and 
incorporates the critical data process methods previously 
defined. Event data is produced by each major processing 
function and a specified data record is also produced that fully 
20 describes the event. This data is redundantly stored in 
multiple data memories. 

Figure 9, Audit Trail Processing Functional Block Diagram, 
illustrates the production of data by each major processing 
fxinction and shows the data logged. The data provided is such 
25 that the complete operation of the system can be reproduced and 
the system's operation confirmed. This audit trail and the data 
included for each audit log entry in the audit trail are defined 
below : 

A. Time of log entry 
30 B. Time of event occurrence 

C- Event category 

!•) System Turn On 

2. ) Ballot Access 

3. ) Ballot end Access 

35 4.) Vote Entry, Vote Confirmation Commanded 

5 . ) Operator Entry 

6. ) Maintenance Monitor Entry 
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7 . ; 


Failure Detection Process 


8 . ) 


On-Line Manual Test 




State Voter Record 


10 . } 


Pre-election Test Record 


11 . ; 


Start Vote 


12 . ; 


End Vote 


13 . ) 


Certify Vote 


14 . ) 


Security Alert 


15 . ) 


Power Failure 


16 . ) 


System Restart 


17 . ) 


Commands 


18.) 


Communication Processes 


19.) 


Voter Help Processes 


20.) 


System Shut Down Command 



15 The data sets, which comprise the audit trail, can be used 

to completely reproduce all events which occur during the voting 
day* This audit trail can be thoroughly reviewed after the 
election through off-line processing. The availability of the 
audit trail allows the reproduction of all system events. This 

20 validates the operational integrity of the system during its 
operation and satisfies the necessity to demonstrate system 
credibility. 

Processes that utilize this data would most probably be 
specifically defined by either a procedural specification to 

25 establish the system operation after an election or a specific 
event that necessitated an operational reconstruction. In any 
event, the uses of this data in post election processes are 
numerous. However, by way of example, a post election 
validation process is provided. 

30 By way of example, and in reference to Figure 9a, a post 

election validation process is provided. For this example, the 
specification is that the operation of the system is to be 
confirmed over a 30 minute time frame from 10:00 a.m. to 10:30 
a.m. 

35 To perform this, a specific procedure would read all of the ^ 

audit log entries that were processed over that time frame and 
provide a printout of the audit log data. Figure 9a is an n 
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illustration of how this printout of the audit log data might 
look. Verification utilizing this data could be performed by a 
human review of the data. 
Individual Voter Records 
5 The present invention defines an individual voter record to 

5 ensure secure, accurate and true election results. This is as 

shown in Figure 10, Electronic Voter Record and Vote Tally 
Processing Fiinctions cuid Method. The voter record is an 
electronic record of the ballot as cast by the voter i.e., a 
10 digital record of those votes cast by an individual voter. The 
individual voter record is an element of the system critical 
data and uses the critical data processes and methodologies 
previously defined. It is this record from which the totals of 
each electoral race are derived. The voter record is the 
15 electronic equivalent of a marked paper ballot. Each voter 
record is saved and can be used for later recounts. It can be 
printed off-line and manually recounted if necessary. The 
system does not merely provide vote totals of each race, but 
rather a complete voter record for each voter from which vote 
20 tallies are compiled. Each individual's votes can be clearly 
understood after the polls are closed. This allows for a 
meaningful recount and is used to verify that the software logic 
that correlates the voter's choices to the vote cast is correct. 
If for cuxy reasons such logic was incorrect, it then could be 
25 subsequently corrected and recounted. This is not possible in 
a system that saves only the total votes cast in each race. 

Security and accuracy are provided by the check sums 
created and stored with the voter record by the critical data 
processing functions. These check sums will result in an 
30 immediate security breach detection should any part of the voter 
record be tampered with. The critical data processes not only 
allow the tamped vote to be detected, but also allow the 
tampered vote to be changed back to the correct vote. This is 
an improvement over paper ballots in which an altered ballot may 

« 35 go undetected. If an alteration is detected on a paper ballot, 
it may not be possible to determine the voter's intent. 

^ As a final security and accuracy check, a vote tallying 
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process is incorporated in which two or more separate processes 
tally the votes. These separate processes produce a tally of 
each race from the voter records. These are then compared, and 
if equal, would result in a certified election result. The 
purpose of this method is to ensure that the vote tally process 
has no logical errors that could cause an incorrect election 
tally and eliminates human error as a source. In practice, the 
two or more tally procedures would be developed by different 
persons to ensure that while the tally function is the same, the 
actual logical processing would be different. This method 
eliminates the possibility of logical errors going undetected. 
The vote record process and method provides additional system 
security since votes are tallied from these records. A system 
that maintains a running total could be subject to fraud by 
tampering if the vote totals were adjusted. To effectively 
tamper with this system, each vote in each voter record would 
have to be found and individually adjusted. This is a near 
impossible task since many copies of each record are maintained 
throughout the system and each contains unique check sums and 
parity data as generated by the previously described critical 
data process and method. Additional protection of the critical 
vote record data is afforded through the use of separate memory 
systems and/or devices that contain redundant copies of the 
voter record and other system critical data. 



Security 

Defined security processing is fundamental to the design of 
this invention. Methods employed to monitor security include 
specific detection processing functions, statistical detection 
processing functions, and alert processing functions for 
displays to notify election officials. Figure 11, Security 
Processing Functional Block Diagram, depicts the processing 
defined for the security fxinction and includes the operator's 
required inputs in response to a security alert. Each 
occurrence of a detected security breach or suspected security 
breach is logged in the audit trail and the appropriate 
operation level (precinct, city, county or State) is required to 
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enter an alert response that becomes part of the operational 
audit trail. 

Security breaches are classified as one of three security 
alert levels: 

lievel 1 Alert ; 

An overt atten5)t to breach security has been detected and 
requires an iiomediate of ficial investigation and response. All 
levels are notified. 

Conditions generating a Level 1 alert are: 

1. Wrong code received on comraunications line. 

2 . Communications call received outside of call back 
time parameter 

3. Encryption data incorrect 

4. Wire tap detected 

5. Computer program self -validation fails 

6. Ballot interface codes incorrect 

7. Real time data verification fails 

8. Vote entry time before/after polls open 

9. Voter Record check sum fails 

Level 2 Alert; 

A potential breach of security has been detected which 
requires a local official investigation. 

If tanpering is suspected or proven, the next higher 
official element is notified and must acknowledge notification. 

Conditions generating a Level 2 alert are: 

1. Ballot key code previously used 

2 . Electronic ballot failure while voter is in booth 

3. Failure of ballot interface 

4. Power interruption to system 

5. Communications reconnect failture 

Level 3 Alert; 

A statistical condition exists that has generated a 
security alert and must be locally investigated. If a breach is 
confined, the next high official element is notified. 
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Conditions generating a Level 3 alert are: 

1. Electronic key card issued but not used after a 
predetermined time 

2 . Voter throughout exceeding predetermined level or 
precinct historical throughput of the day 

3 . Several voters exceeding average time to vote 

4 . Number of voters exceeds number of registered 

voters 

Each of these security alerts generate immediate operator 
alainns. The specifics of the security alert are displayed on 
the system operator's display. 

Statistical Data Processing and Methods 

An advancement in this voting system is the definition, 
collection, processing, and display of statistical real time 
data. Figure 12, Statistical Processing Function Block Diagram, 
shows the processing performed by each of the full system 
hierarchical elements and the statistical information provided 
at each level. When possible and appropriate, statistical 
ranges, means, modes, and averages are provided by this 
function. 

Specifically the following statistical infoimation is 
collected and displayed. 

A. Precinct Level; 

1. Total number of precinct registered voters 

2. Total number of voters and by party 

3 . Total number of ballot voting stations 

4. Voter throughput total, by each hour, and during 
last hour 

5. Average time to vote and range 

6. Number of help requests 

7. Average help time and range 

8. Number of poll workers 

9 . Total time poll open 

10. Lost time due to problems 

11. Number of security alerts 
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12, Election results 

-By office, candidate's name, and number of 
votes 

13 . Wait time estimation 

B. City/Countv Level; 

1. Same statistics as the precinct except totaled 
for an entire city or county 

2. All of the above is displayed on a precinct by 
precinct basis 

3. Operational status and number of voters by 

a. Legislative District 

b. Congressional District 

c. Council District 

d. Precinct District 



C. state Level: 

1. Same statistics as city coimty level except 

totaled for the entire state 
2- All of the above is displayed on a covmty by 

county or city by city basis 
3. Operational status and number of voters by 

a. Legislative District 

b. Congressional District 

c. Council District 

d. Precinct District 

The value of this on-line real time statistical data 
accrues to both election officials and the general public alike. 
Election officials can monitor the election to determine if a 
precinct is becoming crowded. This may allow them to shift 
added help from a slow precinct to one that has many voters 
arriving in a short period. Research has shown that definite 
community trends exist for preferences to vote before or after 
work or at other specific times of the day. Assessment of the 
statistical data can allow officials to tailor precinct voting 
systems and poll workers support to times that trends indicate 
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are heavy. Public release of this information can also be 
provided throughout the voting day to allow voters a better 
choice of when to vote. As a result, a better level of service 
is provided. 

5 

On-Line Diacmostic. Maintenance > Monitoring Processing 

The ability to continuously prove that the system is 
operating as required and to quickly detect, find, and fix any 
failure of the system are afforded through on-line continuous 

10 diagnostic maintenance, and monitoring processing functions. 
This functional process is shown in Figure 13, On-Line 
Maintenance & Monitoring Process Fimctional Block Diagram. 
Functions in this process include "Find and Fix Processing" to 
aid the system operator in repairing any failure to minimize the 

15 voting minutes lost. 

"Find and Fix Processing" is a continuous process that 
"repairs" problems of selected hardware components and logical 
processes incorporated in the system. These include interface 
word parity, bit detect, correct circuitry, as well as other 

20 processes. Other processes include check sum validation, test 
words and other continuous monitoring, and diagnostic testing. 
Fault Detection and Correction performed in these processes are 
termed "Soft Failures", i.e., a failure that could be corrected 
by the functions performed by the hardware and software of the 

25 system. When fault detection is reported through a scheduled 
run of the on-line maintenance, it is used to develop a 
statistical report that can be used to assess the overall 
"operational health" of the system, e.g., the number of 
communication line faults detected and corrected. By way of 

30 example, a 25 percent communication detect and correct fault 
rate may prove to be common and acceptable while a 50 percent 
rate may be determined to be enough degradation to warrant 
repair procedures. 

In fxirther reference to Figure 13, the present invention 

35 accounts for hard failures. Hard failures are failures that 
cannot be fixed through the incorporated process, e.g., a 
coit^lete loss of communication. In this case the "on-line 
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maintenance monitor function" immediately processes to determine 

the fault, reports the fault on the system operator's display, 

and performs processes to localize the failed item. The Find 

and Fix function of this process determines which component has 
5 failed and reports this to the operator via the maintenance 

monitoring operator display function. This will provide the 

operator assistance in repairing the system. 

Periodic fault detection is one of the functions performed 

by the election operational computer program and includes 
10 processes for both hard and soft fault detection and operator 

notification. Periodic testing includes verification of 

interfaces, ballot channel testing, communications test 

messages, cuid laxtvp tests. 

Operator display processing functions include fault display 
15 processes, fault alert display processes, specific operator 

instructions to fix system, and monitoring statistical 

processing functions. 

Results of all of these maintenance and monitoring 

processes are saved as part of the system audit trail. During 
20 a post election analysis, not only can events be verified, but 

the operational status of the system before, during, and after 

a particular event can be confirmed. 

System Displavs 

25 Displays at all levels of the system are significant to the 

present invention. The overall format for these displays is 
shown in Figure 14, Display Format. The purpose of displays is 
to provide a logical oper^itor interface to allow operational 
fianctions to be performed. The displays are specific and 
30 logically organized to limit the range of operator actions 
required to direct the system's operations. 

Physical manifestations of these displays may include 
color, "point and click" methodology, and other useful 
techniques. However, the defined operator actions and data 
35 displays are more importemt to the present invention. 

The System Display area is common to all displays and is 
» used to display legally required data such as public count and 
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precinct number. 

The Alert Display area is specifically reserved for 
operator alerts such as security alert and maintenance alert. 

The center area of the screen is a Selectable Data Display 
area. Data displayed in this area is selected by the operator. 

The Function Key Display area, at the bottom part of the 
screen, is used to display function key switches that can be 
accessed from a particular display and are changeable from 
display to display. These are known as "soft keys" i.e., keys 
whose functions are changeadDle by the computer program. 

The preferred embodiment of this display design 
incorporates the man-machine interface of the common "point and 
click" method. The displays may incorporate the use of colors 
and other features commonly available to enhance the utility of 
the displays. 

System Display Area 

Common elements displayed in the system area may be fixed 
cuid determined by the laws of the jurisdiction of use. These 
are typically displayed when the system is operational as shown 
in Figure 15, Typical System Display. Displayed elements 
include : 

1. Piablic Count 

2. Precinct Number, City/County, or State 

3 . Time Data 

4 . System Status 

5. Poll Status 

Color usage in this display may include the following 
backgrotind colors for the "Booth Operational" display. 
Green: Operational 
Red: Down or failed 

Yellow: A help alert has been processed. Operator 
can return square to green with "point and 
click" or system will reset to green when 
voter is done. 
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Alert Area 

This area is reserved specifically for the operator alert 
display area as shown in Figure 15. 

Alerts displayed include the following: 
5 A. Security Alerts 

1. Type of Security Alert 

2. Time of Alert 

3- Necessary Action 

B. Maintenance Alerts 

10 1. Typ^ of Maintenance Alert 

2. Necessary Action 

C. Procedural Alerts 

1. On-Line Test Ballot 

2. On-Line Test Card Writer /Readers 
15 3. Time to Open Poll 

4. Time to Close Poll 

D. Command Alerts 

1. Contact Message 

2. Open Poll 
20 3. Close Poll 

4, Estimate Voters Waiting 

5. System Shut Down 

E. Voter Help Alerts 

1. For example, a voter in booth "n" has requested help. 
25 In addition to the fixed alert data displayed, a set of 

alert control software switches are provided in a fixed area at 
the bottom of the alert area. Use of these switches are: 

1. HIPRI (Highest Priority) 

• Display highest priority active alert 

30 2. HELP 

• Display active help alert list 

3. NEXT 

• Display next alert in active alert list 

4. LAST 

35 • Display previous alert in active alert list 

5. REMOVE ALERT 

• Delete the displayed alert from the above list 
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6 . HISTORY 

• Display alerts from alert history list instead 
of the active list 

Selectable Data Display Area 

This area displays data as selected by the system operator. * 

Display Function Key Area 

The display fiinction key area is reserved for the display 
of point and click soft switches, i.e., keys whose functions 
vary depending upon the display and are defined by the software. 

Display Structure 

Figure 16, Precinct Hierarchical Display Structure, 
illustrates the hierarchical nature of the display processing 
organization. At start-up, the available screens, in sequence, 
are the start-up screen, pre-test and ready-to-vote screens. 
Figure 17, City/County Hierarchical Display Structure, and 
Figure 18, State Hierarchical Display Structure, show the 
display structures at the city/county and state levels. 

Once the poll is open and in voting status, all screens 
under "operational screens" are available to the operator. When 
a time period designated as "close polls" time is exceeded, a 
poll closing screen becomes available. This screen allows an 
operator to provide an estimated time to close the polls. This 
data is then transmitted to the next higher level system, if 
they are connected. It also provides a screen for local 
operator shut down of the polls' voting status. Once this 
occurs, the operator cannot return to any higher level screen. 
During certification and shut down processing, no operator 
inputs can be performed except for log entries. 

Figures 19 through 29 illustrate various display screens 
implemented with this specific design. Note that the return key 
and log entry key are always shown. A gray backgroxmd behind 
a key indicates that it is not available for operator entry. 
Other methods may be used to actually implement this fimction. 
The return key is used to return the screen displayed to the 



28 



wo 96/02044 



PCT/DS9S/08267 



next higher level of display as shown in Figure 19. This 
display design, and the data processed cuid displayed on these 
specific screens, are xinique attributes and specific 
improvements of this invention. 

5 

Logical Processing Functions 

Logical processing functions are significant to the present 
invention. A separate stand alone test function is used to 
verify the full system operation prior to an election. A 

10 separate operational election processing function used to 
actually operate and control the system during the election. 

At the city/county and state levels, a third off-line data 
processing function is provided. The processing performed by 
this function provides for a number of post election processes 

15 including recount processing, voter record printing and 
analysis, audit trail review and other processes that may be 
required by local laws. The post election process is tailored 
for each jurisdiction . 

20 Common Logical Processing Functions—Detaile d Description 

Functions common to all logical processing are The Self - 
Validation Fvmction and the Audit Trail Function. The 
incorporation of these functions is shown in Figure 30, Common 
Logical Processing Fxinctions. The Self -Validation processes are 

25 performed at system tu3m on as part of the system's start-up 
processing and periodically on a continuous periodic schedule. 
Audit trail processing functions are performed as scheduled by 
other systems processing fiinctions. 

30 Self -Validation Function 

As stated above, the Self -Validation Function is common to 
all logical processes utilized and is shown in Figure 31, Self- 
Validation Function. Its purpose is to ensure that each process 
may validate itself at run time and prove that it has not been 
35 tampered with. Additionally, the Self -Validation process 
ensures that no data has been lost through any type of failure. 
Specifically, at the time of manufacture, a check sum is 
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generated and stored with the logical processing command set, 
i.e., the program. The check sum is an overflow ignored, 
sequential addition of each command comprising the entire 
functional process. This number is then added to a security 
code number to produce a final program check sum. 

This produces a completely unique number for each set of 
logical processing commands. As shown in Figure 31, the mm 
time processing generates a calculated check sum. It is then 
compared with the checksum stored at the time of manufacturing. 
A fault occurs if they do not compare. This fault would cause 
the generation of a level 1 alert which signals that intentional 
tampering has been detected. Self -validation is run at system 
start-up, periodically during system operation, anytime the 
system is stopped and restarted, and anytime a fault condition 
is detected. This effectively precludes any direct tampering 
with the logical processing command set. 

As an additional security provision, a manually entered 
security code is entered by the operator. This code is added 
to the calculated code and checked against the stored checksum 
to validate that system operation is authorized. Failure of 
this check would also generate a level 1 alert. 

Audit Trail Logical Processing Function 

The audit trail is a significant in^rovement in the art and 
is preferably common to all system processing functions. The 
processing that generates the audit trail is shown in Figure 32, 
Audit Trail Processing. The audit trail is developed and 
recorded by the process Audit Log. The audit trail will allow 
every system event to be tracked after the election through off- 
line processing. 

Specifically, the audit trail is a time ordered digital 
recording of each system event that occurred during the 
election. A system event includes: (1) system start time, 

(2) operator commands, (3) test results, (4) start vote, (5) key 
card number issued, (6) key card number used, (7) electronic 
ballot input data, (8) voter start vote and stop vote time, and 

(9) external commands from higher level elements if they are 
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used. Additionally all required operator inputs, such as system 
alert and failure detection responses, are logged. 

Each major procedure in the present system uses an audit 
log procedure to schedule an audit record processing function. 
When combined with the voter records, a complete audit of every 
precinct event may thereby be reproduced. The operational 
integrity of the system can also be verified and validated by 
an analysis of operating historical records contained in the 
Audit Trail. 

Precinct System Detailed Description 

Figure 2, Precinct System Diagram, is a block diagram of 
the single-use precinct system. As shown, its major components 
consist of: (1) electronic ballots, (2) an electronic ballot 
interface, (3) a central precinct processor, (4) magnetic key 
card writers, (5) magnetic key card readers, (6) external 
communication components, (7) an operator control station, and 
(8) provisions for a separate memory media. The separate memory 
media contains operational logical processing functions and 
several redundant memories for recording vote data, system 
operation data, the audit trail and individual voter records. 
The memory media used for implementation of this invention may 
be any number of potential media including both volatile and 
non-volatile media. Examples include flash chips. Programmable 
Read Only Memory (PROM) , laser discs, or industry standard 
Personal Computer Memory Card International Association (PCMCIA) 
technology. 

All control auid data processing functions of the precinct 
system are performed by a central precinct processor and its 
associated logical processing fxmctions. Fiuictions performed 
include (1) overall operational control, (2) pre-election 
testing, (3) continuous diagnostic monitoring, (4) security 
monitoring, (5) electronic ballot control, (6) vote data 
collection, (7) audit trail data collection, (8) secure data 
communications, (9) time synchronization, and (10) operator 
interface display processing functions . The logical processing 
also builds and stores individual voter records, which are the 
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fvmctional equivalent of a paper ballot sind necessary for 
election certification and recounts. 

The precinct system is the lowest level of the hierarchical 
design. The precinct system can be operated as a total stand * 
5 alone system autonomously operating under its own logical 

processing control and collecting voter inputs or it may be » 
connected to a higher level system at the city/covinty and/or 
state level. Precinct level functions controlled from the 
higher level system are determined by the community in which the 
10 system is being used. 

Precinct System Hardware Components 
Electronic Ballot 

A significant feature of this invention is the electronic 

15 ballot as shown in Figure 33, Typical Electronic Ballot Layout. 
The electronic ballots are shown in a single -use designs 
manufactured specifically for a particular election. A main 
feature of this method is that the ballot has no restrictions 
for the design and layout of its face. It is designed new for 

20 every election and for each area of use. Thus, it can be 
tailored to ciny jurisdiction's unique requirements. It is 
representative of a "full face ballot". 

Presently, the technology used for the preferred embodiment 
of this design is membrane switch technology. This technology 

25 is flexible and cost effective to implement in a single -use 
design. This technology may also be replaced as newer 
technology becomes available at cost and in quantity for future 
systems. The specific design of the electronic ballot allows 
for all possibilities of voting including straight party voting, 

30 write-in voting and multi^vote races. "Tactile feel" of vote 
selection is provided by incorporating dome switches on the 
electronic ballot. Corresponding system vote selection is 
confirmed by illuminating a light emitting device that indicates 
the voter's selection(s) on the ballot face. Provisions are 

35 also made for write-in selection. In the ballot depicted in ^ 
Figure 33, the write-in provision is provided by an alphabetic 
keyboard with an associated display. In future systems, this ^ 
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may be changed to a touch sensitive screen where the voter may 
actually write in the vote. As this technology matures it will 
become less expensive and more accurate. Accordingly, 
incorporation may be provided on a cost effective basis. 

Another major feature of the single-use electronic ballot 
is the ability to design the face for each election without the 
ballot's physical limitations obstructing the presentation of 
the information. Presentation of data on the ballot can be 
distinct, providing party affiliation, as well as segregating 
party affiliation. Color and physical separation of issues 
without limitation can be used to clearly present the election 
choices to the voter. Figure 34, Rhode Island Sample Ballot, 
shows an implementation of an electronic ballot. It is a ""full 
face ballot" which can contain multiple languages including 
embossed Braille and/or candidate photos. 

The electronic ballot disclosed herein also provides a 
significant enhancement in system security. Election data on 
the ballot is applied at the time of manufacturing. It is 
therefore physically integral to the ballots' materials and 
cannot be tampered with. Any attempt to change the data would 
be immediately detectable by simple visual inspection as 
attempted tampering would result in obvious damage to the 
ballot. Unlike other prior art designs intended for use in 
several elections, the single-use design, manufactured for only 
one election, does not have iinused switches available to the 
voter. Such switches could lead to sophisticated tampering 
through either modification of the conqputer software to detect 
an imused switch or by moving the label associated with a given 
switch. Both unintentional and intentional ballot tampering are 
eliminated by this method. 

The final security provision of the electronic ballot is 
afforded by the chain-of -custody method of handling, as shown 
on Figure 5, Secure Single Use Voting System Method. The chain 
of custody method of handling precludes and prevents 
unauthorized access to the ballot prior to an election. 

The electronic ballot affords the following specific 
improvements on the state of the art. 
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(1) The ballot can meet exactly the appearance 
requirements of the law and is adaptable on a per 
election basis. 

(2) There are no row and column limitations, type size 
limitations, and the layout can contain logical, 
graphically identified separations to indicate 
different races, issues and political parties. 

(3) The names and issues are imprinted on the ballot 
during manufacture and are integral to the ballot 
(i.e.; laminated and/or printed into the materials 
during the manufacturing process). There is no 
opporttinity for ballot tampering by moving names 
around on the ballot face. 

(4) Since the ballot is specifically manufactured for a 
particular election, the only switches that are 
applied, and therefore available on the ballot face, 
are the ones where a vote is allowed. Therefore a 
collusion could not occur where an unused or 
"phantom" switch is used to record additional secret 
votes through tampering with the software. 

(5) Actual candidate pictures and flags representing 
party affiliation could be incorporated as part of 
the ballot data. 

(6) Embossed Braille could be incorporated as part of the 
ballot data. 

(7) The single-use design requires no additional life 
cycle costs after the election. 

(8) Any number of ballots may be used at the precinct. 
For general elections a write-in ballot is provided. 

The electronic ballot of this invention affords this 
function through the use of an alphabet keyboard with a display. 
Current implementation of this f xinction may use a liquid crystal 
display. Alteimatively, software may be used to read 
handwriting along with a touch sensitive screen where the voter 
could actually write in, rather than type-in, the caindidate of 
choice . 

Access by the voter to the electronic ballot is afforded 
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through the insertion of an electronic security key card. This 
key card contains a unique security code generated by the 
processing functions of the central precinct processor. When 
the key card is inserted into the electronic ballot, the central 
5 precinct computer checks to ensure that the code is currently 
valid. If it is, the ballot displays a "PLEASE VOTE" and the 
voter can begin making his/her selections. When the voter has 
conpleted making all selections, the key card is removed and the 
computer resets the ballot to quiescence and records the votes, 

10 A particular specific improvement of the electronic ballot 

design is the incorporation of a "HELP" button as shown in 
Figures 33 and 34. When the voter depresses this button, an 
alert will be received by the system operator that a voter using 
ballot "n" requires assistance. This effectively eliminates the 

15 current limitations of several voting machine designs where 
additional poll workers have to be stationed at each machine or 
the voter must otherwise attract attention to himself in order 
to receive help while in the booth. Present state of the art 
designs in actual use have caused mis-votes due to their lack 

20 of this "help" provision. 

Another improvement of this electronic ballot design over 
others is its fixed face that does not require voter control, 
such as paging through a number of interactive displays, to 
complete the voting. All election information is displayed 

25 "full face". The only voter action required is to depress a 
button that corresponds to the vote to be cast. Indicator 
lights, such as LEDs, confirm the selection made. Computer 
program control of the lights allows vote changes to be made by 
the voter until voting is complete. Removal of the voter's 

30 electronic security key card causes the votes to be recorded. 

Another advanced feature of the electronic ballot is the 
incorporation of a ballot "RESET" button as shown on Figxire 33. 
This allows the voter to reset the entire ballot cuad start 
35 voting again without casting the ballot. Note that the ballot 
is cast once the electronic security key card is removed which 
f is the last step in the voter's act of voting. This is a useful 

35 
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attribute to the voter and will help minimize voter confusion 
while in the booth. 

The method of access to the ballot, the availability of the 
"HELP" and "RESET" buttons, and the method of casting the ballot 
5 by removing the access key card are all included to aid the 
voter • 

The system computer program and the single use electronic 
ballot allow for a wide remge of voting options to be employed. 
As illustrated in Figures 33, Typical Electronic Ballot Layout 

10 and Figure 34, Rhode Island Sample Ballot, a wide range of 
candidates, parties, races and referendum issues may be 
accommodated for a general election. As shown in these Figures, 
accommodations are made for the selection of write-in votes, 
straight party voting, and individual candidate voting. 

15 Other ballot styles that can be accommodated by this 

combination of computer program and a single use ballot include 
the ballot styles used in primary elections. For these 
elections a jurisdiction may select a number of options as 
illustrated in Figures 35 through 40. These include a split 

20 ballot as shown in Figure 35; a split ballot with common 
referendum issues as shown in Figure 36; a split precinct ballot 
configuration as shown in Figure 37; or separate precinct 
systems as shown in Figure 38. Voter access to the appropriate 
side of the split ballot and/or the appropriate ballot of a 

25 split precinct is controlled by the issue of a party electronic 
access key card at the registration table . The conputer program 
used to read the party code only allows votes to be entered on 
the side of the ballot that corresponds to the voter's 
registered party. In the case of the split precinct option or 

30 the separate system options, the key card can only be used to 
cast votes on the appropriate party ballot. The provision for 
write-in candidates is generally not required for primary 
elections. 

A particular election related problem addressed by this 
35 invention is the issue of over voting and under voting in multi- 
vote races where the voter is instructed to "vote for no more 
than "X" number of the below candidates". The electronic ballot 
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and its associated computer program totally alleviate the 
problem of over voting by not allowing the voter to cast votes 
for more than "X" number candidates. 

Under voting is when a voter does not cast all his allotted 
votes for a race. The voter simply may not have desired to vote 
the full selection available. To improve the chamces that the 
voter will cast the full allotment of votes available, the 
electronic ballot can incorporate a coumter to provide positive 
feedback to the voter on the number of ^ votes cast. Figure 39, 
Multi-vote Race Ballot with Vote Counter, illustrates a 
potential embodiment of this part of the invention. As shown, 
a counter indicates to the voter the number of votes cast for 
the multi-vote race. 

Due to the single use ballot and its associated processing 
and control functions, a particular voting methodology is 
provided for the mult i -vote races where the voter may cast one, 
or more, or all of his allocated votes in the race for one 
candidate. Figure 40, Multi-vote Race with Multi-votes Per 
Candidate Allowed, illustrates how this would be inplemented on 
the electronic ballot. The use of the multi-vote coxinter and 
the vote indicator lights are improvements manifested by the 
flexibility of this invention. 

Over voting is eliminated by this system simply because the 
system will not accept more votes to be cast than allowed in the 
multi-vote race. Under voting cannot be controlled in such a 
positive manner because the voter may not desire to cast all of 
the allowed votes. It is intended that the use of the multi- 
vote counter, the mult i -vote race layout of the electronic 
ballot, and the incorporation of light indicators will improve 
the opportunity for a voter to understcind the number of votes 
available. This innovation is a general itt5)rovement on the 
overall state of the art. 

The interface between the electronic ballots and the 
central precdLnct computer is provided by interface circuits 
which provide the logic necessary to read the voter's switch 
actions, light the associated vote indicator lights, and convert 
logical data to digital data for interface with the precinct 
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processor. The precinct may contain any number of electronic 
ballots. The interface circuitry also provides all power 
required by the electronic ballots. This is an important safety 
improvement over the prior art. At the ballot, the only 
5 electrical current is low voltage direct current (DC) power. 
Therefore, the risk of accidental shock to a voter is 
significantly reduced. 

Central Precinct Processor 

10 Another major component of the single-use precinct system 

is the central precinct processor (CPP) . Like the electronic 
ballot, the CPP is afforded tamper resistance, both physically 
by its inherent design, and methodically through its single-use 
kit design and chain-of -custody handling. 

15 Figure 41, CPP Functional Block Diagram, shows the 

functions performed by the CPP. The physical manifestation of 
this invention would presently have these functions performed 
by a general purpose digital computer and an associated single 
purpose conputer program that contains the processor commands 

20 necessary to perform the CPP fxinctions. Physical manifestations 
of this invention may also use special purpose data processors, 
integrated circuits, or other technology to perform the logical 
processing fxinctions allocated to the CPP. 

The functions performed by the CPP include (1) continuous 

25 system testing and performance monitoring, (2) security 
monitoring, (3) magnetic security key card writing and 
validating, (4) electronic ballot control, (5) redxindant data 
storage, (6) audit trail processing cind storage, (7) voter 
record processing and storage, (8) operator interface 

30 processing, (9) election certification processing, (10) secure 
communications processing, and (11) statistical data processing. 

When the precinct system is interfaced to a higher level 
city/county suid/or state system, it will also perform the 
comaniinications functions necessary to allow the level of control 

35 specified by the user community. « 
The data storage function or memory, the specific design 
features of this invention, and the methodology of handling the t 
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memory medium itself before, during, and after the election are 
methods implemented to assure the fairness, integrity, accuracy, 
and tamper resistance of the election data. 

The design of the operational vote memory system and its 
5 chain-of-custody handling are also basic aspects of security 
afforded by this invention. It is contemplated that the 
physical implementation of the memory system will change as new 
technology affords advancement. Current technology, such as 
Personal Computer Memory Card International Association (PCMCIA) 

10 technology, is the preferred physical embodiment of the memory 
system. Other advances may well evolve over the life of this 
patent that in5>rove the physical implementation of the memory 
system, but the required functions will remain the same, i.e., 
redundcuit and separate records of the election. 

15 Once the precinct kit is assembled into a system at its 

point of use, it is tested using a stand alone test function. 
The test verifies the operation of all system components, 
including the correct operation of all electronic ballot 
switches, and confirms that the switch action is associated with 

20 the candidate issue shown on the ballot. This data is saved on 
the test memory medium by audit trail processing. Both the test 
functional processing and the stored test results are then saved 
for post election cuialysis. The operational election 
functional processing is provided by the system supplier. This 

25 function is developed and tested specifically for each 
individual election and is part of the single-use design of the 
entire precinct system. Multiple copies or memories bearing 
duplicate fiinctional processing commands are supplied for each 
precinct. The final step of the manufactxiring process is a 

30 comparison of the functional processing commands on each of the 
memories to ensure that the corxect command set is installed and 
that the commands have been transferred to the memories 
correctly* Once this verification has been performed, the 
multiple memories are placed in a sealed shipping container for 

35 shipment directly to the precinct of use. The sealed container 
is then opened by election judges at the precinct. A random 
selection is then made by the election judges and installed in 
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the CPP. 

When the system is energized, a self -validation logical 
process function will be performed, as shown in Figure 31, to 
ensure that the logical processing command set has not been 
tan5>ered with. A human controlled check will also verify the 
correct command set is installed. The system will display 
precinct information on the operator's display. The system 
operator will then confirm that the displayed precinct 
information is correct. 

This methodology assures the correct logical processing 
functions are in use, and that tampering, changing or failure 
of the logical processing command set has not occurred. In 
addition, this methodology it verifies the chain- of -custody from 
manufacture to use. 

The electronic security key card system is provided to 
allow only authorized voter access to the electronic ballot. 
This precludes the need for a polling official to be stationed 
at each booth to control ballot access. 

The logical processing functions of the central precinct 
processor generates the unique code that is magnetically written 
onto a magnetic strip of the electronic security key card. The 
code is generated when a registration worker requests the key 
card. The logical processing function that writes the code also 
reads back the code from the card to ensure that the correct 
code was written on the magnetic strip. The key card is then 
given to the voter. 

The voter takes the key card to the voting booth and 
inserts the key card into the electronic ballot's key card 
reader. The logical processing fiinction validates the key card 
as "authorized to vote" and sets the electronic ballot to accept 
the voter's selections. Once the voter has completed his 
selections, the key card is removed and the vote is cast and 
recorded . 

Precinct Logical Processing Functions 

Two logical processing functions are provided for the 
precinct system. They are the Stand-Alone Test and the 
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Operational Vote logical processing functions. 

Stand Alone Precinct Test 

The purpose of the stand alone pre-election test is to 
ensure that all system functions, and components are 
operational. The results of this test are saved. The stand 
alone test is tailored to suit the actual precinct operational 
environment. If the precinct is connected to a higher level 
system, all functions that are specified for higher level 
communications, as well as control functions, are validated by 
this test. 

Figure 42, Stand Alone Precinct Test, depicts the stand 
alone precinct test using standard structure flow charts. A 
detailed description of this processing follows. 

The first processing fxinction performed by the computer 
program is self -validation. This confirms that no tampering has 
occurred in the logical processing command set. This process 
is shown in Figure 15. Processing is then performed to 
initialize the operator's display and prepare it to receive 
data. It also establishes the interface processing necessary 
to receive operator inputs from the operator's keyboard. This 
processing will also test that the operator's display device and 
input keyboard are operational. 

The logical processing function then validates that it is 
appropriate for the precinct in which it is being used. This 
requires an operator's input. Detailed processing of the build 
valid precinct processing is shown on Figure 43, Build Valid 
Precinct. As shown, a primary piece of data input to this 
process is the system adaptation table. This allows one logical 
processing function command set to be designed to operate on 
several differently configured systems and reduces the overall 
cost of the system. The adaptation table is a run time 
parameter that directs the processes being performed so that the 
processing will comply with the specification of the individual 
system. A typical set of adaptation parameters is shown in the 
ST ADAPTABLE on Figure 43, Build Valid Precinct. This 
configuration of the adaptation table describes processing for 
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a fully implemented hierarchically controlled precinct. For 
jurisdiction designs that do not have a full hierarchical 
control element, the adaptation parameters are changed to modify 
the precinct processing so that such functions are not 
performed. The build valid precinct processing, shown in 
Figure 43, is processing that asks for the operator to enter the 
precinct number. The valid precinct number is read from the 
adaptation parameter table and con^ared with the operator 
entered precinct number. If they match, the valid precinct code 
is set true and stored for use by other processing. System 
operation then continues. 

The next process performed is the audit log start up 
processing. Detailed processing is shown in Figure 44, Start 
Audit Log, and Figure 16. This process clears and tests its 
reserved memory area. If it verifies all zeros, the audit log 
stores all system start up parameters. 

Further processing performed by the stand alone precinct 
testing validates the operation of all system components and 
logs all test results in the audit log table. The detailed 
processing is shown in Figures 43 through 49. All procedures 
executed by this process conclude with the audit log process. 
It is this process which generates the audit trail. 

The communications hardware connection and data processes 
are validated by the Run Commiini cat ions procedure shown in 
Figure 45 and the Test Communication procedure shown in 
Figure 46. All memories are tested to enstire that data can be 
read and written into them as shown in Figure 47. Security key 
card writer/readers are tested as shown on Figure 48. All 
electronic ballot interface and control fxinctions are tested as 
shown in Figure 49. 

Operational Election Logical Processing Function 

The purpose of the Operational Election Logical Processing 

Function is to perform functions through its operation that 

provides for the secure and accurate collection of votes and the 

tallying of votes for each electoral race. 

The detailed processing functions performed by the 
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operational precinct logical processing functions are shown in 
Figure 50, Vote Precinct. When the system is energized, it 
first validates itself as shown in Figure 31. This confirms 
that no tampering has occurred in the logical processing 
5 functions . 

> The initialization and verification of the system is 

performed as shown on Figure 51, Initialize and Verify System. 
This processing initializes the display console, and validates 
the precinct as previously described in the stand alone precinct 

10 test, as shown in Figure 42. It then reads, verifies, and 
stores this data in the audit log. The next function zeros all 
recording memories and verifies the zero recording. This 
processing also directly tests the memories as well. The 
initialization processing also establishes communication to the 

15 next higher level system if it is specified in the adaptation 
table. During the initialization processing, data provided by 
the precinct processor includes precinct test results, time 
synchronization, and precinct status. The final processing 
performed in initialization is a system test. This test is a 

20 statistically significant subset of the test performed by the 
pre-election stand alone test function and verifies that all 
system components are operational. Test conduct and results are 
saved in the audit trail and also sent to the next higher level, 
if it is present. 

25 Once the initialization and verification processing is * 

completed, the system begins the "ready to vote" process. This 
processing is shown in Figure 52, Ready To Vote. The first 
processing performed displays the current vote count and public 
count of the system . At this time , these displays should 

30 display zero (0) . This processing cycles until real time is 
greater than or equal to voting start time and the start vote 
command is set by the system operator as approved by the 
precinct election judge. See Figure 52. 

The run vote processing is shown in Figure 53, Run Vote. 

35 The first processing performed is the "allow interrupts 
procedure". This procedure allows the system to change from the 
quiescent stage of "ready to vote" in which all electronic 
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ballot and key card inputs are logically locked out to the 
operational status of vote. 

The record votes procedure is depicted in Figure 54 , Record 
Vote. Functional processing is performed to validate the * 
5 voter's key code. The key code verification is shown on 

Figure 55, Validate Key Card. This processing function checks » 
the valid code table. If it is valid, the process writes the 
code in the voter record. If it is not a valid code, security 
processing is performed and an operator alert display is 

10 generated. 

The second process performed in record vote is "run ballot" 
and is shown in Figure 56 as "Run Ballot n" . This processing 
reads the voter's input from the electronic ballot interface 
buffer. The vote input is then logged. 

15 The final process performed by the record vote process is 

to determine if the cast ballot flag is set. If it is, the 
critical data process is run to produce the voter record header, 
checksum, and parity data. The voter record is then stored and 
validated in the redundant memories. 

20 The "con5>ile vote records" process continuously tallies the 

totals for each candidate and issue. This processing is shown 
in Figure 57, Compile Vote Records. 

When the "end vote" command is received from the system 
operator and real time is greater than or equal to the end vote 

25 time, the system begins "end vote" processing. This process is 
shown in Figure 58, End Vote. This process locks out all 
electronic ballot interrupts and calculates the last vote 
totals . 

The final process performed at the precinct is "election 
30 certification" as shown in Figure 59, Certify Vote. First, a 
bit by bit coit^jarison is made of all memories. The Run 
Certification Recoxint Process, as shown in Figure 60, is also 
executed. It is this process which leads to a true election 
certification at the precinct level. As shown, two separate and 
35 distinct logical processes are employed to separately recount 
all the votes. The two separate logical processes are formed 
by two separate individuals who do not have contact with one ^ 
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another. Each logical process may be realized through two 
separate computer programs* Due to inherently different styles 
between different computer programmers, each logical process 
will be separate and distinct. This procedure also provides an 
5 error checking function to ensure programming integrity, i.e., 
* that a logical programming has not occurred. 

Each logical process simply counts each vote of each voter 
record for each race. However, these separate processes have 
a different iirplementation of the logical processing necessary 

10 to recount the votes. A difference in the final tallies would 
immediately determine that a logical processing earror existed. 
Each individual jurisdiction of use would specify what 
processing, actions, and/or methods would be perfoarmed for a 
failed precinct certification. 

15 At completion of certification, if commiinications are 

present, the precinct certification data is sent to the next 
higher system element. This process also displays the vote 
results at the precinct- Establishing a processing method to 
detect logical processing errors cind the incorporation of the 

20 on-line certification process are made part of this invention . 

Figures 61, End Precinct, shows the "end precinct" process. 

t This procedure locks out all inputs to the CPP and is used to 
bring the system to a known state prior to shut down. 

25 On-Line Statistics 

On-line statistics is another advance in this invention. 
The periodic processing performed by this procedure is shown in 
Figure 62, Statistics Processing Function. The data produced 
by the process is useful to both the public and election workers 
30 during the voting period and for election officials after the 
election. Statistics processed and available for display are: 
A. At the precinct level 

1. Total number of precinct registered voters 

2. Total number of voters and by party 

35 3. Total niimber of ballot voting stations 

4. Voter throughput total, by each hour, and during 
^ last hour 
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5. Average time to vote and range 

6. Number of help recjuests 

7. Average help time and range 

8. Number of poll workers 
5 9- Total time poll open 

10. Lost time due to problems 

11. Number of security alerts 

12. Election results 

In descending sequence by office, 
10 candidate's name, and number of votes 

13 . Wait time estimation 

14 . Precinct political division statistics including 
but not limited to: 

a. Legislative District 
15 b. Congressional District 

c. Council District 

d. Precinct District 
B. At the city/ county level 

1. Same statistics as the precinct except totaled 
20 for entire city or county. 

2. All of the above is displayed on a precinct by 
precinct basis 

3 . Operational status and number of voters by 
political division statistics including but not 

25 limited to: 

a. Legislative District 

b. Congressional District 

c. Council District 

d. Precinct District 
30 C. At the State level 

1. Same statistics as city coxinty level except 
totaled for the entire state. 

2. All of the above is displayed on a county by 
county or city-by-city basis. 

35 3. Operational status and number of voters by 

political division statistics including but not 
limited to: 
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a. Legislative District 
b- Congressional District 
c* Coiincil District 
Precinct District 
5 During the election, voter tliroughput and time to vote and 

> other data can be released as public information to assist 

potential voters in deciding when to vote. The information 
could also be used by election officials to identify low voter 
throughput precincts and determine how throughput can be 
10 itt5)roved during the election. After the election, analysis of 
this data can be used to establish better methods of providing 
voter service. 

Precinct System Displays 

15 A specific set of operator displays are provided at the 

precinct for the purpose of operator interface and control. 
These displays are limited by the display structure as shown in 
Ficfure 16. Figure 19, System Start Screen, is the precinct 
start up display which shows each start up operation completed 

20 and provides for specific operator inputs. This methodology 
affords an additional degree of security by requiring cin 
operational code entry. The operational code is provided by the 
system provider, and is sealed and shipped separately from the 
software . 

25 Figure 23 is the precinct statistics display. The display 

of the statistical data on line is a significant feature of this 
invention. Figure 24 depicts the Help Status display. 

Citv/Countv and State Level Systems and Processing 
30 The hierarchical design of this invention allows the option 

of having a centralized city/cotinty and/or state 
collection/control element as shown in Figtire 1. The amount of 
centralized collection and control performed by the higher level 
system elements is specifically determined by the laws of the 
35 jurisdiction where the system is being used. The inclusion of 
the city/county and/or a state processor within this design 
provides the system's remote recording electronic (RRE) 
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capability. The following detailed description of the 
city/county/ state level system describes a complete hierarchical 
control implementation in which any control function processing 
described could be excluded to accommodate jurisdiction laws or 
user requirements. 

The specific purpose of the city/county and state system 
is to provide the functions necessary to allow centralized 
collection of votes in a real time secure manner and perform 
automated vote tallying at the city/county and/or state level. 
To perform this, functions are included for (1) secure 
communications, (2) data verification, (3) vote compilation, 
statistical data processing, (4) election certification, 
(5) public count and display, and (6) electronic data release. 

As shown in Figure 3, the city/county system comprises the 
next higher collection and control element of the overall system 
cibove the precinct system. Some city/county systems will be 
further linked to the higher state level system as shown in 
Figure 1. 

Figure 3 shows the con5)onents that comprise the city/county 
processing system. The city/county processor is a general 
purpose data processor. It is connected via a network 
controller or a functionally equivalent device to precincts, the 
state system if in use, and various putolic release subscribers 
through a one way data commxinications device. 

The system provides for operator interface through the 
incorporation of a display, keyboard, and a set of specific data 
displays for the display structures as defined in Figures 16, 
17 and 18. To facilitate the large numbers of persons who 
generally monitor the election from the city/bounty election 
offices, a provision has been made for a large screen projection 
display control station. The displays available are limited to 
data displays only. No control displays are available to the 
large screen projection display. Therefore, they are a subset 
of the displays of the city/county status display as shown in 
Figure 17. 

Redundant data storage is provided through "n" memory 
systems. A mail-in vote entry station is provided for the entry 
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of absentee vote data. A physical key switch is also 
incorporated to allow security for supervisory level actions. 

This hardware configuration is controlled by the logical 
processing functions of the city/coiinty processor. The 
processing functions for the city/county processor include a 
pre-election test function, an operational election function, 
and post election processing functions. 

Data communications between the city/coiinty processor and 
the precincts are controlled by the city/coxinty processor and 
a network controller or a functionally equivalent device. The 
network controller is electrically connected to a modem and a 
data encryption device. This configuration performs the 
encrypted data transfer over standard telephone lines as shown 
in Figure 1. Wireless, optical cable, and other data 
connections may also be used. Interface to the State level 
system. Figure 4, is afforded in the same manner. 

Information generated by the city/county processor for 
public information release is transmitted to subscribers via a 
non-encrypted communications fxinctional device. This line is 
a controlled one direction communication link for the 
city/coiinty system to the subscriber. The system will only 
connect to subscribers it has called and it will not receive any 
data over these lines. The logical processing functions of the 
city/ county processor continuously performs secvirity processing 
to 

monitor all exterior conditions. 

An interface is provided for a mail-in ballot station. 
This interface allows mail -in votes to be integrated with the 
data collected from the precincts and automatically counted. 

As shown in Figure 1, a maintenance /monitoring system is 
provided to allow the system provider to monitor the operating 
status of all systems in the election. The purpose is to allow 
for centralized support in the event of a failure at any level 
of the system. This allows for senior level decisions and 
failure procedures to be directed and monitored by supervisory 
level personnel. 
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City/County Processor Logical Processing Functions 

Three general functions are performed by the city/county 
processor: 

A. Pre -Election Stand Alone Test Fiinction 
5 B. Operational Election Function 

C. Post Election Processing Function 
Control functions performed by the city/ county and state 
processors, as shown in Figure 63, include (1) time 
synchronization, (2) commtmi cat ions control, (3) vote 
10 authorization, (4) poll opening, (5) poll closing, (6) election 
certification, (7) election status display, (8) poll restart 
commands, cind (9) maintenance commands. These control functions 
are changed for each jurisdiction to accommodate local laws and 
community desires and may be entirely eliminated. 

15 

Pre-Election Stand-Alone Test Function 

The purpose of the pre-election stand-alone test function 
is to test and verify the complete operation of the entire RRE 
system prior to the conduct of the election as shown in 

20 Figure 64. Processing performed by this function emulates all 
processes to be performed during the actual election and 
includes all communications, data verification, data collection 
and operator processing. The city/county processor collects and 
records the stand alone precinct test results, their audit 

25 trails, amd creates and records its own audit trail. These 
records will form a critical part of the evidence required to 
validate the system' s operation if any challenges should be made 
to am election result generated by the system. The pre-election 
test function command set and the data created and processed 

30 during the pre-election test are inpounded and archived after 
the test. 



Detailed Description of the Citv/Countv Pre-Election Test 
Function 

35 Figure 64, Pre-Election Test Function, depicts the overall 

pre-election test processing at the city/county level. The 
first process performed is the self -validation process as shown 

50 



wo 96/02044 PCT/DS95/08267 

in Figure 15. If this test passes, then the data storage areas 
are validated and zeroed to assure that no failed memory 
locations are present in the data storage area as shown in 
Figure 65, Verify Storage & Set Precinct VO. 
5 As shown in Figure 66, Set Up Precincts & VO Chaiinels, 

communication preprocessing is performed to set up input 
channels to commxinicate with valid precincts. Commxini cat ions 
processing waits for communications to begin when each precinct 
calls. When the precinct coramxanications are established, the 

10 transmitted security . code from the precinct is validated. The 
system then hangs up at that point and builds a call back 
schedule. This processing is depicted in Figure 67, Process 
Secxire Communications . This processing is started by an initial 
precinct call in. 

15 Once a precinct has been validated, open communication 

processing recalls the precinct and establishes commtmi cat ions 
as shown in Figure 68, Open Commimications . 

Data input to the city/ county processor from the precincts 
is validated and stored in redundant memories as shown in 

20 Figure 69, Collect Pre-Test Data. Input data is validated by 
verifying the precinct data checksum. 

If this test passes, the data is stored in redundant memory 
locations. If a failure occurs, then the input /output fault 
process is scheduled to run. 

25 Pre-test certification is run at the end of the pre-test 

after all data has been collected as shown in Figure 70, Certify 
Pre-Test. This process validates that the data received from 
each precinct agrees with a test script. Certification is good 
if the received data is in agreement with the scripted data 

30 expected. 

In the event of a failed certification, a certification 
failed process is performed. The specific processing performed 
by this process is implemented specifically as required by the 
desires and laws of the jiirisdiction of use. 
35 The shut down pre-test process closes all in/out channels 

and brings the system to known quiescence so that power can be 
turned off. Once this is done all memory media from the system 
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components is removed, sealed and impounded as shown in 
Figure 5. 

Operational Election Logical Processing Function 
5 The Operational Election Logical Processing Function is 

used for the conduct of the official election and is shown in 
Figure 72. After Self -Validation, secure communications 
processing is performed to establish communication with its 
connected precincts. 
10 When the communications link to the precincts is 

established, the validate precinct processing shown in Figure 73 
is performed. 

Once the precinct connection is established and confirmed, 
an election pre-test is performed to validate the operation of 

15 the RRE system with the operational election software. This 
pre-election test is a statistically significant subset of the 
stand alone pre-election test previously described. The results 
of this test are also certified as described in the stand alone 
test processing. This process is illustrated in Figure 72. If 

20 the Pre-Election Test is successful, the polls are opened as 
shown on Figure 71, Open Polls Command. 

Figure 73, Rion Secure Communications, shows the processing 
performed by the secure communications procedxire of the 
city/co\inty processor. The first function performed is the set 

25 up of a randomly generated hang-up call-back process as shown 
in this Figvure. This processing determines (1) when the next 
call to a precinct will be made, (2) whether the call will be 
initiated by the precinct or the city/ county processor and 
(3 ) the duration between calls . Security processing is 

30 initiated if the time between calls is exceeded or if a 
connection can not be established. 

Once the communication link is established, a series of 
security codes are exchanged validating that both the correct 
connection has been established and that no line tampering 

35 and/or tapping has occurred. During this time, the precinct 
software is checked for tampering. Again any failure detected 
would invoke special security processing that would alert the 
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system operators and trace the suspected security breach. 

The next process performed by the secure communication 
procedure is to validate the precinct and confirm its processing 
status. If the precinct is valid and the precinct is in voting 
5 status^ a secure communications routine sets up a read vote data 
« command . 

These read vote commands are based on the end time of the 
last communication minus five minutes to current time. The 
duplication of retransmitting the data already stored from the 
10 last read is a double check of the data being received. See 
Figure 74, Validate Precinct. 

The next procedure performed collects and verifies the vote 
data. The collect vote data procedure is shown in Figure 75, 
Collect Vote Data. The procedure reads the data from the time 
15 of last call minus "X" minutes to current time. The data is 
then retransmitted back to the precinct and verified. If the 
data is good, the process stores the valid election data. If 
it is not good, the process will retry three (3) times before 
activating security processing to determine the cause of the 
20 failxire. 

A feature of this invention is the centralized on-line 
certification capsibility. The processing required to perform 
this procedure is shown in Figure 76, Certify Election . 

Once the precinct goes to poll closed status, the precinct 

25 processor performs the precinct level certification. At the 
conclusion of this process, the precinct sends a status of 
"certification done" to the city/county processor. If the 
precinct certification is gpod, the certify election procedure 
reads in a conplete set of vote data and the audit log. A bit- 

30 by-bit comparison of the certified precinct data and the data 
coitpiled over the course of the election at the city/ county 
level is then made and the entire vote is recoxinted and compared 
with the certified precinct tallies. If the status of these 
comparisons is good, the certification procedure establishes the 

35 good election status and displays certification complete. The 
certification processing is a critical part of this invention. 
The specifically defined voter record and critical data 
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processing methods of the present invention enable the foregoing 
process. Local election officials will specify the processing 
and/or procedures to be performed if on-line certification 
fails. This will be implemented on a per election, per location 
basis. 

These voter records are used by several different logical 
vote counting processes which will eliminate the possibility of 
logical processing errors or mistakes which would provide an 
erroneous election result . The display election procedure shown 
in Figure 77, Display Election Returns, is then processed to 
display the election results. The controlling official at the 
city/coxinty level can then, if desired, release the election 
results electronically to any connected siibscribers . If certain 
races Ccinnot be certified, the release would indicate 
"preliminaiy results-count with 'X' precincts certified". The 
final process performed by the city/county processor is the 
"shut down" process depicted in Figure 78, Shutdown Election. 

City/County Displays 

The city/coxmty displays are similar to the precinct level 
displays. Figure 25, City/County Status Display, shows the 
status of the entire city/county system. Figure 26, City/Coimty 
Statistics Display, shows the county statistics. This selection 
can include city/county political divisions such as council 
districts, congressional districts, and others. 

Figure 27, Select Precinct Display, allows the operator to 
select individual precinct data for display. The operator can 
select either the precinct status or statistics display. 

City /County Off -Line Data Processing Function 

The purpose of this function is to provide for access and 
analysis of the election records saved during the election. 
Figure 10 shows the functions performed by the off-line post 
election computer program. The system necessary for this 
processing is shown in Figure 3. The functions required for 
post processing will vary from county to coxinty; however, the 
basic fiinctions provided are: 
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4. 



3. 



2. 



Review precinct "X" voter records 
Review precinct "X" audit trail 
Compile statistics 
Print data 



5 



5. 



Review mail- in voter records 



6. 



Recount race 



8. 



7. 



Review time sequence 
Display test data 



10 State Level System 

Figure 4 shows the optional state level system of the RRE 
system • This system configuration cind its logical processing 
fvmctions are the same as those described for the city/ county 
system except that the state system inputs are from connected 

15 city/county systems aind that the election display and tally 
fxinctions cover the entire state. 



I claim: 

1. A recordable voting system audit trail detailing a 
plurality of voting system events which occur at a plurality of 
corresponding times in a time ordered sequence con5)rising: 

5 record unique data including voting system event 

information corresponding to a voting system event of said 
plurality of voting system events; and 

a time tag indicating a time corresponding to when the 
voting system event occurred. 

10 

2 . The recordable voting system audit trail according to claim 
1^ further comprising: 

a recordable medium which records the record unique data 
cind the corresponding time tag; 
15 a log entary time corresponding to the time that the record 

unique data and time tag are stored in the recordable medium. 

3. The recordable voting system audit trail according to claim 
1, further comprising: 

20 a plurality of record unique data including a corresponding 

plurality of voting system event information, each detailing a 
voting system event; and 

a plurality of time tags indicating a plxxrality of 
conresponding times when said voting system events occurred. 

25 

4 . The recordable voting system audit trail according to claim 
3, further comprising: 

a recordable medium which records said record unique data 
and said corresponding time tags; 
30 a plurality of log entry times corresponding to the times 

that the critical data elements and time tag are stored in the 
recordable medium. 

5 . The recordable voting system audit trail according to claim 
35 1, wherein said time tag is comprised of a plurality of digital 

information bits and said audit trail includes a critical data 
element which includes said time tag, said audit trail 
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comprising: 

a critical data element header having a number of digital 
information bits corresponding to a predetermined data type of 
a plurality of data types and a predetermined number of digital 
5 information bits indicating said time tag; and 

a header checksum which indicates a number of data bits in 
the critical data element header. 

6 . The recordable voting system audit trail according to claim 
10 1, wherein said time tag is comprised of a plurality of digital 
information bits^ said critical data element comprising: 

a data checksum which indicates a number of data bits in 
the record unique data. 

15 7 . The recordable voting system audit trail according to claim 
1, wherein said time tag is comprised of a plurality of digital 
information bits, and said audit trail includes a critical data 
element which includes said time tag, said audit trail 
comprising: 

20 a critical data element header having a number of digital 

information bits corresponding to a predetermined data type of 
a plurality of data types and a predetermined number of digital 
information bits indicating said time tag; and 

a header checksum which indicates a number of data bits in 
25 the critical data element header; and 

a data checksum which indicates a number of data bits in 
the record unique data. 

8 . The recordable voting system audit trail according to claim 
30 7 further comprising: 

a critical data element checksum which indicates a number 
of data bits in the critical data element . 

9. A voting system individual voter record detailing voter 
35 information corresponding to a vote cast by a voter, said 

individual voter record comprising: 

a critical data element header including a time tag 
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indicating a time corresponding to when the voting system event 
occurred; and 

voting system event information corresponding to a voting 
system event of said plurality of voting system events. 

10. The voting system individual voter record according to 
claim 9, wherein a voter key card includes voter key card 
identification information, said individual voter record further 
comprising: 

a voter key card identification corresponding to said voter 
key card identification information . 

11. The voting system individual voter record according to 
claim 9, wherein a voter enters a vote into a voting system, 
said individual voter record further conprising: 

ballot data indicating the vote selected by the voter in 
the voting system. 

12. The voting system individual voter record according to 
claim 9, wherein a voter enters vote information into a voting 
system including a plxirality of electronic ballots, said 
individual voter record further comprising: 

a start time indicating a time when the voter initiated 
entry of the vote information into the voting system; 

an end time indicating a time when the voter ended entry 
of the vote information into the voting system; 

an electronic ballot niimber corresponding to a 
predetermined electronic ballot of said plurality of electronic 
ballots; and 

a ballot checksum indicating a number corresponding to the 
start time, end time and electronic ballot number. 

13. The voting system individual voter record according to 
claim 12, further conprising: 

elapsed time information corresponding to a difference 
between said start time and said end time; 
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14 . 12 • The voting system individual voter record according 
to claim 9 wherein the critical data element header has a number 
of digital information bits corresponding to a predetermined 
data type of a plurality of data types and a predetermined 
5 number of digital information bits indicating said time tag^ 
said individual voter record further cort5)rising: 

a header checksum which indicates a number of data bits in 
the critical data element header. 

10 15. A remote recording conputer voting system comprising: 

a precinct system comprising a plurality of individual 
voter ballots, wherein each individual voter ballot receives a 
corresponding plurality of voter information; 

a remote centralized vote collection station in a remote 
15 geographical location from said precinct system and in 
electrical commxmication with said precinct system which 
receives said plurality of voter information from said precinct 
system. 

20 16. The remote recording computer voting system according to 
claim 15, wherein each of the plurality of individual voter 
ballots is a disposable voter ballot, said voting system further 
comprising: 

a precinct processor disposed within the precinct system 
25 which communicates with the plurality of voter ballots to 
receive voter information therefrom; and 

a nonvolatile memory connected to the precinct processor 
for storing the voter information received from the precinct 
processor. 

30 

17. The remote recording computer voting system according to 
claim 16 wherein the precinct processor provides a centralized 
start and central stop command to each of the plurality of voter 
ballots, said precinct processor providing encrypted data 

35 transmission between with each of the voter ballots. 

18. The remote recording computer voting system according to 
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claim 15 further comprising: 

a second precinct system comprising a plurality of second 
individual voter ballots, wherein each of said second individual 
voter ballots receives a corresponding plurality of second voter * 
5 information; 

wherein the remote centralized vote collection station is r 
in electrical communication with said second precinct system and 
receiving said second plurality of voter information from said 
second precinct system. 

10 

19. The remote recording computer voting system according to 
claim 15 further comprising: 

a first modem encrypter electrically connected to the 
precinct system for encrypting said voter information; 
15 a second modem encrypter electrically connected to the 

remote centralized vote collection station and in electrical 
communication with said first modem receiving said voter 
information from said precinct system. 

20 20. A method of electronically producing a voting event record 
for a voting event con5>rising the steps of: 

electronically recording a voting event time; 
electronically recording a voting event category 
representing a category of a voting event; and 
25 electronically recording event data corresponding to the 

voting event. 

21. The method according to claim 20 wherein the voting event 
is one of a plurality of voting events, said method comprising 

30 the step of recording each of the plurality of voting events in 
a time ordered sequence. 

22. The method according to claim 20 said method fxirther 
comprising the step of producing word parity information for 

35 each word of the saved data. 

23. The method according to claim 20 said method further * 
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con^rising the steps of: 

producing a data type unique header to specifically 
identify the voting event record; and 

formulating an event data checksum representing a number 
5 of electronic data bits required to store the event data. 

24. The method according to claim 20, wherein said method 
further comprises the step of: 

formulating a header data checksum representing a number 
10 of electronic data bits required to store the data type unique 
header, the voting event category, and the header checksum 
itself - 

25. The method according to claim 20, wherein said method 
15 further comprises the steps of: 

producing a data type unique header to specifically 
identify the voting event record; 

formulating an event data checksum representing a number 
of electronic data bits required to store the event data; 
20 formulating a header data checksum representing a number 

of electronic data bits required to store the data type unique 
header, the voting event category, and the header checksum 
itself; and 

formulating a total data checksum representing a number of 
25 electronic data bits required to store the voting event time, 
voting event category, event data corresponding to the data 
event, the data type unique header, the event data checksum, the 
header data checksum, and the total data checksum. 

30 26. The method according to claim 25, wherein said voting event 
category, event data corresponding to the data event, the data 
type unique header, the event data checksum, the header data 
checksum, and the total data checksum all form a critical data 
element, said method further comprising the step of storing the 

35 critical data element. 

27. The method according to claim 25 further comprising the 
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Step of electronically recording a log entry time. 
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FIGURE 65 • Verify Storage & Set Prednct I/O 
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